Firewall/Router Rules

The main router/firewall is the protection from the outside world. If the router has DMZ capability, give the DMZ host an IP address in the same subnet as the office LAN; this makes it easier to scale up web listeners that talk to the Web Server. Placing the DMZ address on the office subnet is only acceptable because the Web Server remains isolated by firewall rules on both sides, as described below.

The diagram identifies the traffic required for Theatre Manager to work in the cardholder data environment, per PCI DSS requirement 1.2.1.

Any traffic not required should be denied: set the router's default policy to 'deny all' and permit only the traffic explicitly listed below.

All traffic uses TLS 1.2 or better, including between:
  • the database and internal workstations
  • patrons' web browsers and NGINX
  • NGINX and the web listeners
  • the web listeners and the database
  • Theatre Manager and the credit card providers

In the example below, we'll refer to IP addresses

  • in the office VLAN as 192.168.1.x
  • in VLAN2 (containing wireless devices and/or machines not subject to PCI) as 192.168.2.x
  • and use 192.168.1.10 as the inside address of the DMZ where the Web Server resides, protected on both sides by firewall rules. Its outside (internet) address is also authenticated and verified using a TLS certificate.

  • The lighter red arrows on the diagram mark the places where you can apply restrictive rules from specific machines to specific machines. Those rules are outlined in the table below the diagram.
  • The number in the first column of the table refers to the same number on the diagram, to show what kind of rules each component needs. If you combine several services on one machine, combine their rules as well.
  • All ports in the table are TCP. Two caveats: standard NTP uses UDP port 123, while TCP port 37 is the older Time protocol, so open whichever your time client actually uses; and DNS is primarily UDP port 53, with TCP port 53 used for large responses.
  • Rules describe INITIATED connections, i.e. which machine is allowed to start a connection to which machine and port. The inbound column lists the connections other machines may start to a machine; the outbound column lists the connections that machine may start itself.
  • Once a connection has been accepted on an approved port, the replies flow back on whatever ephemeral port the client used, so the firewall must be stateful: do not block responses to approved connections, and do not write separate rules for them.

    For example, item #1, the PostgreSQL server, only needs port 5432 open inbound. Turn on the personal (host) firewall on that machine so that only that port is open inbound, and let the firewall's connection tracking admit the replies.

If you prefer to view the firewall rules from the perspective of specific ports, refer to the list of ports used by Theatre Manager.

Table columns: Item, Machine and Purpose, Subject to PCI, Virus S/W, Inbound Port Rules, Outbound Port Rules. Each item below lists those columns in that order.

Item 1: PostgreSQL server (database)
  Subject to PCI: depends
  Virus S/W: no*
  Inbound port rules:
  • 5432 from any 192.168.1.x (traffic to the database uses TLS 1.2)
  Outbound port rules:
  • all to 192.168.1.x
  • 37 to NTP server

Item 2: Remote Box Office via VPN (or terminal server)
  Subject to PCI: yes
  Virus S/W: yes*
  Inbound port rules:
  • as needed from internet
  Outbound port rules:
  • all to internet
  • 5432 to 192.168.1.2 (Postgres server)

Item 3: Web Services (TM Listener)
  Subject to PCI: yes
  Virus S/W: no*
  Inbound port rules:
  • 443 from 192.168.1.10 (NGINX server)
  • 8111 from other TM listeners, if they exist
  • any from 192.168.1.2 (Postgres server)
  Outbound port rules:
  • any to 192.168.1.10 (NGINX web server)
  • 5432 to 192.168.1.2 (Postgres)
  • 53 for DNS and MX lookup
  • 37 to NTP server
  • 443 to
    • www2.artsman.com and
    • downloads.artsman.com
  • 80 to maps.googleapis.com/maps/api/geocode
  • 25 (or 465 or 587) to SMTP server, as required
  • 110 to POP server for Facility Management
  • 443 to credit card provider
  • 443 to ippos.moneris.com if using a P400 EMV device from Moneris

Item 4: Box Office Workstations
  Subject to PCI: yes
  Virus S/W: yes*
  Inbound port rules:
  • all from 192.168.1.x
  Outbound port rules:
  • 80, 443, 8111 to 192.168.1.10 (web server)
  • 5432 to 192.168.1.2 (Postgres)
  • 53 for DNS and MX lookup
  • 37 to NTP server
  • 443 to
    • www2.artsman.com and
    • downloads.artsman.com
  • 80 to maps.googleapis.com/maps/api/geocode
  • 80 to www.google.com/maps/api/staticmap
  • 80 to help.theatremanager.com
  • 443 to credit card provider
  • 443 to ippos.moneris.com if using a P400 EMV device from Moneris

Item 5: Ticket Printer
  Subject to PCI: no
  Virus S/W: n/a
  Inbound port rules:
  • 10001 from 192.168.1.x (or whatever port the printer is set to)
  Outbound port rules:
  • all to 192.168.1.x

Item 6: Web Server (NGINX)
  Subject to PCI: yes
  Virus S/W: yes*
  Inbound port rules:
  • 80, 443 from internet
  Outbound port rules:
  • 443 to 192.168.1.9 (Web Services TM Listener)

Item 7: Outside of Firewall (the router itself)
  Subject to PCI: no
  Virus S/W: n/a
  Inbound port rules:
  • 80, 443 from internet
  • xxxx from internet or Terminal Services
  Outbound (forwarding) rules:
  • forward 80, 443 to 192.168.1.10 (NGINX web server, which redirects port 80 requests to 443 using TLS 1.2 or later)
  • forward xxxx to 192.168.1.4 (Terminal Server)

Item 8: Internal Wireless Router
  Subject to PCI: no
  Virus S/W: n/a
  Inbound port rules:
  • all from 192.168.1.1
  Outbound port rules:
  • specific to 192.168.2.1 as required

Item 9: Venue LAN computers not handling credit cards
  Subject to PCI: no
  Virus S/W: yes
  Inbound port rules:
  • all from 192.168.2.1
  Outbound port rules:
  • as needed to 192.168.1.1

Item 10: Wireless ticket scanners
  Subject to PCI: no
  Virus S/W: n/a
  Inbound port rules:
  • none listed
  Outbound port rules:
  • 443 to tickets.yourvenue.org. Ticket scanning occurs through the internet, so open the ports that allow the scanning traffic out through the router.
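To sanity-check a rule table like this before committing it to the router and the host firewalls, the following added example (not code from Arts Management Systems or the Theatre Manager documentation) encodes items 1, 3, 4 and 6 as default-deny allow lists and answers whether a given machine may initiate a TCP connection, treating a flow as permitted only when every managed end's rules allow it. It also models the stateful reply rule from the notes above (replies are admitted only for connections that were accepted when initiated) and renders one host's inbound column as an nftables input chain. Server addresses follow the page's worked example (192.168.1.2 Postgres, 192.168.1.9 listener, 192.168.1.10 NGINX); the time server 192.168.1.5, the workstation 192.168.1.20, the VLAN2 machine 192.168.2.50 and the internet client 203.0.113.7 are constructed for illustration, and the assumption that other TM listeners live in the office subnet is mine.

```python
"""Default-deny checker for the Theatre Manager firewall rule table.

Added example, not code from Arts Management Systems. Server addresses
follow the page's worked example; the time server (192.168.1.5) and the
client addresses used in the demo at the bottom are constructed.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"            # any TCP port
INTERNET = "internet"  # any non-RFC1918 address, or a hostname
OFFICE = "192.168.1.0/24"
PG, LISTENER, NGINX = "192.168.1.2", "192.168.1.9", "192.168.1.10"
NTP = "192.168.1.5"    # assumed address of the site's time server
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def P(*ports):
    """Shorthand for a set of TCP destination ports."""
    return frozenset(ports)


def _peer_matches(pattern, addr):
    """Does address/hostname `addr` fall under rule peer `pattern`?"""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                      # addr is a hostname
        return pattern in (INTERNET, addr)
    if pattern == INTERNET:
        return not any(ip in net for net in LOCAL_NETS)
    try:
        return ip in ipaddress.ip_network(pattern, strict=False)
    except ValueError:                      # pattern is a hostname, addr an IP
        return False


@dataclass(frozen=True)
class Rule:
    """Allow rule for an INITIATED TCP connection to/from `peer` on `ports`."""
    peer: str
    ports: object = ANY

    def matches(self, peer, port):
        return (self.ports == ANY or port in self.ports) and _peer_matches(self.peer, peer)


@dataclass
class Host:
    inbound: list    # who may start connections to this host (peer = source)
    outbound: list   # where this host may start connections (peer = destination)


# Items 1, 3 and 6 of the table; item 4 applies to any other office address.
HOSTS = {
    PG: Host(inbound=[Rule(OFFICE, P(5432))],
             outbound=[Rule(OFFICE), Rule(NTP, P(37))]),
    LISTENER: Host(
        inbound=[Rule(NGINX, P(443)),
                 Rule(OFFICE, P(8111)),   # other listeners assumed to sit in the office subnet
                 Rule(PG)],
        outbound=[Rule(NGINX), Rule(PG, P(5432)), Rule(NTP, P(37)),
                  Rule("www2.artsman.com", P(443)), Rule("downloads.artsman.com", P(443)),
                  Rule("ippos.moneris.com", P(443))]),
    NGINX: Host(inbound=[Rule(INTERNET, P(80, 443))],
                outbound=[Rule(LISTENER, P(443))]),
}
WORKSTATION = Host(inbound=[Rule(OFFICE)],
                   outbound=[Rule(NGINX, P(80, 443, 8111)), Rule(PG, P(5432)), Rule(NTP, P(37)),
                             Rule("www2.artsman.com", P(443)), Rule("downloads.artsman.com", P(443))])


def host_for(addr):
    """Rule set for a machine we manage; None for the internet, VLAN2, etc."""
    if addr in HOSTS:
        return HOSTS[addr]
    return WORKSTATION if _peer_matches(OFFICE, addr) else None


def is_allowed(src, dst, port):
    """May `src` INITIATE a TCP connection to `dst`:`port`?  Every managed end
    must permit it (source outbound and destination inbound); with no managed
    end at all the router's default applies: deny."""
    s, d = host_for(src), host_for(dst)
    if s is None and d is None:
        return False
    if s is not None and not any(r.matches(dst, port) for r in s.outbound):
        return False
    if d is not None and not any(r.matches(src, port) for r in d.inbound):
        return False
    return True


class StatefulFirewall:
    """Connection tracking: replies are accepted only for connections that
    were themselves accepted when initiated, so no reply rules are needed."""

    def __init__(self):
        self.conns = set()

    def connect(self, src, sport, dst, dport):
        ok = is_allowed(src, dst, dport)
        if ok:
            self.conns.add((src, sport, dst, dport))
        return ok

    def reply(self, src, sport, dst, dport):
        return (dst, dport, src, sport) in self.conns   # reverse of an accepted flow


def nft_input_chain(addr):
    """Render one host's inbound column as an nftables input chain (goes
    inside `table inet filter { ... }`); replies pass via conntrack."""
    lines = ["chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept",
             "    ct state established,related accept"]
    for r in host_for(addr).inbound:
        match = "" if r.peer == INTERNET else f"ip saddr {r.peer} "
        if r.ports != ANY:
            ports = sorted(r.ports)
            match += (f"tcp dport {ports[0]} " if len(ports) == 1
                      else "tcp dport { " + ", ".join(map(str, ports)) + " } ")
        lines.append(f"    {match}accept")
    return "\n".join(lines + ["}"])


if __name__ == "__main__":
    print(nft_input_chain(PG))
    print("VLAN2 -> Postgres 5432:", is_allowed("192.168.2.50", PG, 5432))
```

Checking both ends of a flow is deliberate: the listener's "5432 to 192.168.1.2" and the Postgres server's "5432 from 192.168.1.x" must agree for the connection to work, and a VLAN2 machine is stopped by the Postgres inbound rule even though nothing on VLAN2 is under our control. The NGINX case shows why connection tracking matters: NGINX has no outbound rule toward the internet, yet its replies to patrons are admitted because they belong to an accepted connection.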